APT groups use ransomware TTPs as cover for intelligence gathering and sabotage

State-sponsored threat groups increasingly use ransomware-like attacks as cover to hide more insidious activities.

Russian advanced persistent threat (APT) group Sandworm used ransomware programs to destroy data multiple times over the past six months while North Korea's Lazarus group used infrastructure previously associated with a ransomware group for intelligence gathering campaigns.

At the same time, some Chinese APTs that were traditionally targeting entities in Asia shifted their focus to European companies, while Iran-based groups that traditionally targeted Israeli companies started going after their foreign subsidiaries.

At least one North Korean group that was focused on South Korea and Russia has started using English in its operations. All these operational changes suggest organisations and companies from Western countries are at increased risk from APT activity.

Destructive cyber attacks in Ukraine support Russia's war efforts

In the last months of 2022, Sandworm continued its data wiping attacks against Ukrainian organisations, but expanded its efforts to organisations from countries that are strong supporters of Ukraine, such as Poland, according to a new report by cyber security firm ESET. Sandworm is believed to operate as a unit inside Russia's military intelligence agency, the GRU.

Sandworm has launched destructive attacks against Ukrainian organisations for years. It is credited with the attacks against the Ukrainian energy infrastructure that caused blackouts in the country in 2015 as well as the destructive ransomware-like attack NotPetya in 2017 that started as a software supply chain attack against a Ukrainian software company but ended up impacted international organisations as well.

Since the beginning of the war the ESET researchers have attributed two data wiping programs called CaddyWiper and HermeticWiper used in Ukraine to Sandworm. The group is also suspected to have tried to disrupt the Ukrainian power grid in April using a new malware program called Industroyer2.

In October, ESET saw new variants of both CaddyWiper and HermeticWiper, but also a new data wiper attributed to Sandworm called NikoWiper. This last wiper is based on SDelete, a Microsoft utility for securely deleting files and was used against a Ukrainian company from the energy sector.

"This attack happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes," the ESET researchers said. "Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives."

Aside from data wiping malware, Sandworm seems to continue its tactics of repurposing ransomware. The difference between data wipers and ransomware programs is that the latter encrypts files instead of deleting them, but both have the effect of making data inaccessible.

The ESET researchers attribute October attacks with a ransomware program called Prestige against Ukrainian and Polish logistics companies to Sandworm. A month later, the group used another ransomware program called RansomBoggs against Ukrainian organisations. This ransomware program was written in .NET and had references to the Monsters Inc. animated movie.

"In those attacks, ransomware was used but the final objective was the same as for the wipers: data destruction," the ESET researchers said. "Contrary to traditional ransomware attacks, here the attackers do not aim to provide the key to decrypt the encrypted data."

It's likely that these destructive attacks will continue and like with the Prestige ransomware case, they could extend to organisations from countries that provide military and logistics support to Ukraine. Just last week, the ESET team discovered yet another wiper program that they attributed to Sandworm and dubbed SwiftSlicer. This wiper is written in Go and is deployed on networks through Active Directory Group Policy.

APT groups use ransomware in false flag operations

Other APT groups might not use ransomware programs directly, but could use tactics, techniques, and procedures (TTPs) associated with known ransomware groups to hide their activities. These are known in the security industry as false flag operations.

Most ransomware groups now exfiltrate data to ransom it before encrypting it locally. This data theft can be a good cover for cyber espionage.

Security firm WithSecure recently investigated an attack campaign that initially was suspected to be caused by the BianLian ransomware group.

Closer investigation revealed that it was actually an intelligence gathering operation by North Korean state-sponsored Lazarus group that targeted public and private research organisations from the medical research and energy sectors, as well as their supply chain.

North Korea has multiple APT groups that sometimes share tooling, but which are believed to be controlled by different government agencies or departments. Lazarus, APT38, and Andariel (also known as Silent Chollima) are groups attributed to the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency.

Another group called Kimsuky is attributed to the 5th Bureau -- Inter-Korean Affairs and deals with operations targeting mainly South Korea. Another group, tracked as APT37 that also targets mainly South Korea, is attributed to the North Korean Ministry of State Security.

Many of the observed TTPs and collected tools have previously been attributed by other researchers to Kimsuky or Lazarus groups," the WithSecure researchers said in their new report. "The fact that references to both groups are observed could highlight the sharing of tooling and capabilities between North Korean threat actors."

The researchers found malware similar to one called GREASE that was previously attributed to Kimsuky. In this incident WithSecure observed usage of a malware similar to GREASE, also previously attributed to Kimsuky.

Another recovered malware was a custom version of Dtrack, a remote access Trojan (RAT), with a configuration very similar to one used by Lazarus in an attack against the Indian Kudankulam Nuclear Power Plant in 2019. The researchers also found usage of Putty Plink and 3Proxy, two tools previously observed in other Lazarus campaigns.

The overlap with BianLian ransomware was the use of a command-and-control server hosted at an IP address previously used by BianLian attackers. Lazarus and North Korean APTs have a history of using ransomware in their attacks, both as cover and to profit. This include the major WannaCry ransomware worm of 2017 that impacted organisations from around the world.

In July, CISA issued an alert that North Korean state-sponsored actors were using the Maui ransomware to target the healthcare and public health sectors. Due to the strict economic sanctions that the North Korean government is facing, its hacking arms frequently engage in activity that is more akin to cyber crime than cyber espionage.

"In various parts of the world, North Korea-aligned groups used old exploits to compromise cryptocurrency firms and exchanges. Interestingly, Konni has expanded the repertoire of languages it uses in its decoy documents to include English, which means it might not be aiming at its usual Russian and Korean targets," the ESET researchers said in their new report on APT activity.